Main Menu

Managing online risk – beyond the basics

I had a conversation recently with someone who’s a ‘high value target’ about how to stay safe online and recalled an article earlier this year that a famous actress no longer will take selfies with fans because they include time and location information, as well as what she’s currently wearing. She’s worried about stalkers. While not exclusive to folks like celebrities and politicians – they really do have different threat models – we can all learn from their situation to help protect ourselves.

So this builds on my previous post about staying safe online, and touches on some of the same things, but unlike that one where the advice is broadly applicable, much in this one is about tradeoffs and risk tolerance. Follow that previous advice, then check below for updates and more ideas.

Passwords

I continue to recommend 1Password from AgileBits as a password manager, especially with the new features (I’m a paid customer, and happy to be one). Yet it depends on having a secure passphrase, and none of the old techniques (e.g. using the first letter of the words in a phrase) have enough entropy to resist modern attacks. Instead use a long sentence – something like ‘shark tornado pine tree Snowman h3ll0’ – length is king. If you do that, and don’t get hit with a keylogger, you probably will never need to change it. Don’t worry, after a bit muscle memory makes it easy to type. Ditto on the password to unlock your computer.

Yes, this is somewhat inconvenient. But it’s not optional for anyone these days – we’re all high value targets.

Vendors

There is no such thing as a free puppy – everything has costs, and someone’s always getting paid. If you’re not paying, most likely they’re selling your personal information either ‘anonymized’ (which is often poorly done and reversible), or outright as your individual data. Companies hide behind massive EULA’s that no one reads, change terms and settings on a regular basis, and in some cases resort to dissembling, distracting and outright misleading statements – even to Congress.

So you need to choose what vendors you do business with. I carry Apple devices because their business model isn’t based on exploiting their customers. Do they gather data? Sure. Do they also have an advertising business? Yep. But of the options out there, they’re by far the best option. I severely limit how and which social networks I use, including things like secure messaging (I use Signal instead), and would absolutely never use that identity to login to any other site or service. Likewise, I’m in the process of switching my search engine default to DuckDuckGo (though I will use Bing, and then Google in a private window if I don’t get good results).

Two/Multi-Factor

Simply put, enable it. If your vendor doesn’t offer it, or only offers SMS based solutions, complain or find a new one. For most of us, SMS is better than nothing, but for a high-value target, spoofing SIM cards has become so easy that you need to move on to a vendor with a modern approach.

Apple has built 2FA into their devices, and 1Password now has integrated 2FA capability for most other sites. App-based 2FA like Authy or 1Password even allows you to have multiple trusted devices, while others like Microsoft, only support a single device, which is a risk itself. Note that this makes having a long and strong 1Password passphrase all that more important! Look for companies that support the TOTP standard.

Verbal passwords & Security Questions

This is so important I’m reviewing it again from the previous post. Call every business you work with and add a verbal password to the account (store it in 1Password of course). If the only field they have is ‘mother’s maiden name’, first, consider terminating your business relationship with them and switching to a vendor that cares about identity theft. If you can’t, then at least create a unique word for each one – none of which can be found on your social media sites. If they only offer the last four of SSN, won’t disable it as an option, and won’t add a verbal password, then find a new company to work with. Full stop. At this point that’s essentially negligent.

That’s one example of a ‘security’ question. For online accounts, my advice remains the same. Lie. Use unique lies for each one, recorded in 1Password. This is especiallycritical if you’re a public figure. Most of the celebrity hacks have come by resetting passwords using security questions where the information is on social media (more on that later).

Likewise, lie about birth day, lie about where you live, lie about your hair color – lie about anything that the company doesn’t have a legitimate business, regulatory, or functional need to know.

Even with good ones, I’m not a fan of using biometrics to unlock your password manager. Take the time and enter the passphrase.

For a public figure, I wouldn’t use them to unlock devices as there’s too many opportunities to capture information to spoof them. Instead use long complex passcodes (not a PIN!). This is a major inconvenience, so you’ll have to evaluate your threat model and see if it’s worth it. For myself, I allow the phone to unlock with TouchID (as of this writing FaceID seems to be secure, but I continue to be skeptical), but not my mac (as there’s no wipe feature on the computer), and absolutely don’t allow my watch to unlock the computer.

Email accounts

Your email account is the most important one to protect, because it’s how all your other passwords are reset. It absolutelymust have a robust random password on it. You should neveraccess it from a device you do not own, and I’d highly recommend using an application rather than a web browser.

Consider using a business-grade paid service for your email. It’ll allow you to separate your email account from the management account, so you can easily restore access if the email account is compromised. Paid services, like Microsoft Exchange Online, provide much better protection across the board – encryption at rest, better spam and malware protection, and 2FA. If you’re a high-value target, this is probably a mandatory change, and at around $4/month, well worth the investment.

See my original post for other email tips.

Location and Apps vs Browser

Location is of huge value to an advertising-based business model like Google Maps, Waze, Facebook, Instagram, and so on. For public figures, this is a safety issue, and for the rest of us, something to think about. For apps like Waze, I’d gladly pay for a ‘ad/tracking free and privacy first’ option, and hope that recent pressure moves companies like this to change their business model.

First, change the location privacy setting to ‘only while using’, and turn it off for apps that don’t need it (like Facebook). Unfortunately, some apps like Netflix and Hulu require location tracking so they can respect content contracts, including those nutty sports blackout areas. Be careful though, some apps are notorious for sharing more data than you intend, and in some cases, outright lie about what’s captured regardless of the settings.

Using a web browser prevents a lot of this – and if you put it into private mode and close your tabs on a regular basis, it’ll help prevent them from creating a dossier.

Pictures are the other big source of location leaks. Your GPS data and time stamps are included in the metadata every time you take a picture- that’s what the actress is concerned about. When I post photographs to my blog or LinkedIn, I export them from Lightroom and strip all metadata other than copyright. If you’re a high-value target, especially if you’re concerned about physical safety, you probably need to take explicit steps to avoid leaking your location this way.

VPN

Mobile and landline data carriers leverage DNS and other traffic analysis to target advertising and generate revenue off what you do. You can fix the DNS problem on your home network by changing to 9.9.9.9 (Quad9) or 1.1.1.1 (Cloudflare), and I use both (in that order) on my home network. 1.1.1.1 now has an iOS app that will tunnel your DNS queries to their servers rather than the mobile carrier, which is really cool!

Using a full VPN adds further protection, particularly if you’re on a public (e.g. hotel) network, but do you really need one? If you’re a high-value target, I’d argue yes, but not without risk as you’re transferring trust from one company to another and the VPN industry is notoriously shady (run away from anything free). For the record, I trust Cloudflare, and Quad9 (the latter alliance includes IBM). I do use a VPN but am not comfortable endorsing one – research carefully.

Data

Let me close with the piece of advice both obvious, and one we forget.

We all need to realize that we will have an account compromised at some point, and they will go after exactly what we most want kept private. Yet more than that: even if it’s not a hack, public posts can come back to haunt you in job interviews or other ways.

I want to be clear – I am notblaming anyone who’s been victimized by a hack, particularly where very personal/intimate information or photographs have been exposed. That’s a horrific invasion of privacy, and my sympathy goes out to those impacted by such a betrayal.

Unfortunately, the Internet never forgets. Please talk with your kids and make sure that they understand the risks, then go clean out your own archives.

Simply put, if it’s not online, it’s harder to steal. If it doesn’t exist, there’s no risk.